UNITED STATES DISTRICT COURT FOR THE
WESTERN DISTRICT OF WASHINGTON 
AT SEATTLE 


UNITED STATES OF AMERICA, 
Plaintiff, 


CR18-159 JLA 


INDICTMENT 


ANDRII KOLPAKOV,
aka “Andrey Kolpakov,” 
aka “Andriy Kolpakov,” 
aka “Andre Kolpakov,” 
aka “Andrew Kolpakov,” 
aka “santisimo,” 
aka “santisimoz,” 
aka “AndreyKS,” 

Defendant. 


The Grand Jury charges that: 


DEFINITIONS 


1. IP Address: An Internet Protocol address (or simply “IP address”) is a 
unique numeric address used by devices, such as computers, on the Internet. Every 
device attached to the Internet must be assigned an IP address so that Internet traffic sent 
from and directed to that device may be directed properly from its source to its 
destination. Most Internet service providers control a range of IP addresses.

2. Server: A server is a computer that provides services for other computers
connected to it via a network or the Internet. The computers that use the server’s services 
are sometimes called “clients.” Servers can be physically located anywhere with a 
network connection that may be reached by the clients; for example, it is not uncommon 
for a server to be located hundreds (or even thousands) of miles away from the client 
computers. A server may be either a physical or virtual machine. A physical server is a 
piece of computer hardware configured as a server with its own power source, central 
processing unit/s and associated software. A virtual server is typically one of many 
servers that operate on a single physical server. Each virtual server shares the hardware 
resources of the physical server but the data residing on each virtual server is segregated 
from the data on other virtual servers that reside on the same physical machine. 

3. Malware: Malware is malicious computer code running on a computer. 
Relative to the owner/authorized user of that computer, malware is computer code that is 
running on the system that is unauthorized and present on the system without the user’s 
consent. Malware can be designed to do a variety of things, including logging every 
keystroke on a computer, stealing financial information or “user credentials” (passwords 
or usernames), or commanding that computer to become part of a network of “robot” or 
“bot” computers known as a “botnet.” In addition, malware can be used to transmit data 
from the infected computer to another destination on the Internet, as identified by an IP 
address. Often times, these destination IP addresses are computers controlled by 
cybercriminals. 

4. The Carbanak malware: “Carbanak” is the name given by computer 
security researchers to a particular malicious software (malware) program. Carbanak has 
been used to remotely access computers without authorization. The Carbanak malware 
allows an attacker to spy on another person’s computer and remotely control the 
computer. Carbanak can record videos of the victim’s computer screen and send the
recordings back to the attacker. It can also let the attacker use the victim computer to
attack other computers, and to steal files from the victim computer, and install other
malware. All of this can be done without the legitimate user’s knowledge or permission. 

5. Bot: A “bot” computer is a computer that has been infected with some kind 
of malicious software or code and is thereafter subject to control by someone other than 
the true owner. The true owner of the infected computer usually remains able to use the 
computer as he did before it was infected, although speed or performance may be 
compromised. 

6. Botnet: A “botnet” is a network of compromised computers known as 
“bots” that are under the control of a cybercriminal or “bot herder.” The bots are 
harnessed by the bot herder through the surreptitious installation of malware that provides 
the bot herder with remote access to, and control of, the compromised computers. A 
botnet may be used en masse, in a coordinated fashion, to deliver a variety of Internet- 
based attacks, including DDoS attacks, brute force password attacks, the transmission of 
spam emails, the transmission of phishing emails, and hosting communication networks 
for cybercriminals (e.g., acting as a proxy server for email communications). 

7. Phishing: Phishing is a criminal scheme in which the perpetrators use 
mass email messages and/or fake websites to trick people into providing information such 
as network credentials (e.g., usernames and passwords) that may later be used to gain 
access to a victim’s systems. Phishing schemes often utilize social engineering 
techniques similar to traditional con-artist techniques in order to trick victims into 
believing they are providing their information to a trusted vendor, customer, or other 
acquaintance. Phishing emails are also often used to trick a victim into clicking on 
documents or links that contain malicious software that will compromise the victim’s 
computer system. 

8. Spear Phishing: Spear phishing is a targeted form of phishing directed 
towards a specific individual, organization or business. Although often intended to steal 
data for malicious purposes, cybercriminals may also use spear phishing schemes to 
install malware on a targeted user’s computer.

9. Social Engineering: Social engineering is a skill developed over time by
people who seek to acquire protected information through manipulation of social 
relationships. People who are skilled in social engineering can convince key individuals 
to divulge protected information or access credentials that the social engineer deems 
valuable to the achievement of his or her aims. 

10. Pen-Testing: Penetration testing, or pen-testing, is the practice of testing a 
computer system, network or computer application to find vulnerabilities that an attacker 
may exploit. 

COUNT 1 

(Conspiracy to Commit Wire and Bank Fraud) 

I. OFFENSE 

11. The allegations set forth in Paragraphs 1 through 10 and 21 through 25 of 
this Indictment are re-alleged and incorporated as if fully set forth herein. 

12. Beginning at a time unknown, but no later than September 2015, and 
continuing through on or after June 20, 2018, at Seattle, within the Western District of
Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka “Andrey
Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,” 
“santisimoz,” and “AndreyKS,” and others known and unknown to the Grand Jury, did 
knowingly and willfully combine, conspire, confederate and agree together to commit 
offenses against the United States, to wit: 

a. to knowingly and willfully devise and execute and attempt to 
execute, a scheme and artifice to defraud, and for obtaining money and property by 
means of materially false and fraudulent pretenses, representations, and promises; and in 
executing and attempting to execute this scheme and artifice, to knowingly cause to be 
transmitted in interstate and foreign commerce, by means of wire communication, certain 
signs, signals and sounds as further described below, in violation of Title 18, United 
States Code, Section 1343;

b. to knowingly and willfully devise and execute and attempt to
execute, a scheme and artifice to defraud financial institutions, as defined by Title 18,
United States Code, Section 20, and to obtain moneys, funds, and credits under the
custody and control of the financial institutions by means of materially false and
fraudulent pretenses, representations, and promises, in violation of Title 18, United States
Code, Section 1344(1) and (2).

II. OBJECTIVES OF THE CONSPIRACY

13. The defendant, and others known and unknown to the Grand Jury, were
part of a financially motivated cybercriminal conspiracy known variously as FIN7, the
Carbanak Group, and the Navigator Group (referred to herein as “FIN7”). FIN7 consists
of a group of criminal actors engaged in a sophisticated malware campaign targeting the
computer systems of businesses, primarily in the restaurant, gaming, and hospitality
industries, among others.

14. The objectives of the conspiracy included hacking into protected computer
networks using malicious software (hereinafter, “malware”) designed to provide the
conspirators with unauthorized access to, and control of, victim computer systems. The
objectives of the conspiracy further included conducting surveillance of victim computer
networks, and installing additional malware on victim computer networks for the
purposes of establishing persistence, and stealing money and property, including payment
card (e.g., credit and debit) track data, financial information, and proprietary and
non-public information. The objectives of the conspiracy further included using and selling
the stolen data and information for financial gain in a variety of ways, including, but not
limited to, using stolen payment card data to conduct fraudulent transactions across the
United States and in foreign countries.

III. MANNER AND MEANS OF THE CONSPIRACY

15. The manner and means used to accomplish the conspiracy included the
following:

a. FIN7 developed and employed various malware designed to
infiltrate, compromise, and gain control of the computer systems of victim companies
operating in the United States and elsewhere, including within the Western District of
Washington. FIN7 established and operated an infrastructure of servers, located in
various countries, through which FIN7 members coordinated activity to further the
scheme. This infrastructure included, but was not limited to, the use of command and
control servers, accessed through custom botnet control panels, that communicated with
and controlled compromised computer systems of victim companies.

b. FIN7 created a front company doing business as Combi Security to
facilitate the malware scheme by seeking to make the scheme’s illegal conduct appear
legitimate. Combi Security purports to operate as a computer security pen-testing
company based in Moscow, Russia and Haifa, Israel. As part of advertisements and
public internet pages for Combi Security, FIN7 portrayed Combi Security as a legitimate
penetration testing enterprise that hired itself out to businesses for the purpose of testing
their computer security systems.

c. Under the guise of a legitimate computer security company, FIN7,
doing business as Combi Security, recruited individuals with computer programming
skills, falsely claiming that the prospective employees would be engaged in legitimate
pen-testing of client computer networks. In truth and in fact, as each defendant and his
FIN7 co-conspirators well knew, Combi Security was a front company used to hire and
deploy hackers who were given tasks in furtherance of the FIN7 conspiracy.

d. FIN7 targeted victims in the Western District of Washington, and
elsewhere, using phishing techniques to distribute malware designed to gain unauthorized
access to, take control of, and exfiltrate data from the computer systems of various
businesses. FIN7’s targeted victims include more than 120 identified companies,
including, but not limited to, the following representative victim companies:

i. “Victim-1” referenced herein is the Emerald Queen Hotel and
Casino (EQC), a hotel and casino owned and operated by a federally recognized Native
American Tribe with locations in Pierce County, within the Western District of
Washington.

ii. “Victim-2” referenced herein is [illegible], a
public corporation headquartered in Seattle, within the Western District of Washington,
with operations throughout the United States and elsewhere.

iii. “Victim-3” referenced herein is Chipotle Mexican Grill, a
U.S.-based restaurant chain with thousands of locations in the United States, including in
the Western District of Washington, and in Canada and multiple European countries.

iv. “Victim-4” referenced herein is [illegible], a U.S.-based
pizza parlor chain with hundreds of locations predominantly in the Western United
States, including in the Western District of Washington.

v. “Victim-5” referenced herein is BECU, a U.S.-based
federally insured credit union headquartered in the Western District of Washington.

vi. “Victim-6” referenced herein is Jason’s Deli, a U.S.-based
casual delicatessen restaurant chain with hundreds of locations in the United States.

vii. “Victim-7” referenced herein is [illegible], an automotive
retail and repair chain with hundreds of locations in the United States, including in the
Western District of Washington.

viii. “Victim-8” referenced herein is Red Robin Gourmet Burgers
and Brews (Red Robin), a U.S.-based casual dining restaurant chain, founded in the
Western District of Washington, with hundreds of locations in the United States,
including in the Western District of Washington.

ix. “Victim-9” referenced herein is Sonic Drive-in (Sonic), a
U.S.-based drive-in fast-food chain with thousands of locations in the United States,
including in the Western District of Washington.

x. “Victim-10” referenced herein is Taco John’s, a U.S.-based
fast-food restaurant chain with hundreds of locations in the United States, including in the
Western District of Washington.

e. FIN7 typically initiated its attacks by delivering, directly and
through intermediaries, a phishing email with an attached malicious file, using wires in
interstate and foreign commerce, to an employee of the targeted victim company. The
attached malicious file usually was a Microsoft Word (.doc or .docx) or Rich Text File
(.rtf) document with embedded malware. FIN7 used a variety of malware delivery
mechanisms in its phishing attachments including, but not limited to, weaponized
Microsoft Word macros, malicious Object Linking and Embedding (OLE) objects,
malicious visual basic scripts or JavaScript, and malicious embedded shortcut files (LNK
files). In some instances, the phishing email or attached file contained a link to malware
hosted on servers controlled by FIN7. The phishing email, through false representations
and pretenses, fraudulently induced the victim company employee to open the attachment
or click on the link to activate the malware. For example, when targeting a hotel chain,
the purported sender of the phishing email might falsely claim to be interested in making
a hotel reservation. By way of further example, when targeting a restaurant chain, the
purported sender of the phishing email might falsely claim to be interested in placing a
catering order or making a complaint about prior food service at the restaurant.

f. In certain phishing attacks, FIN7, directly and through
intermediaries, sent phishing emails to personnel at victim companies who had unique
access to internal proprietary and non-public company information, including, but not
limited to, employees involved with making filings with the United States Securities and
Exchange Commission (“SEC”). These emails used an email address that spoofed an
email address associated with the SEC’s electronic filing system, and induced the
recipients to activate the malware contained in the emails’ attachments.

g. In many of the FIN7 attacks, a FIN7 member, or someone hired by
FIN7 specifically for such purpose, would also call the victim company, using wires in
interstate and foreign commerce, to legitimize the phishing email and convince the victim
company employee to open the attached document using social engineering techniques.
For example, when targeting a hotel chain or a restaurant chain, a conspirator would
make a follow-up call falsely claiming that the details of a reservation request, catering
order, or customer complaint could be found in the file attached to the previously
delivered email, to induce the employee at the victim company to read the phishing
email, open the attached file, and activate the malware.

h. If the recipient activated the phishing email attachment or clicked on
the link, the recipient would unwittingly activate the malware, and the computer on
which it was opened would become infected and connect to one or more command and
control servers controlled by FIN7 to report details of the newly infected computer and
download additional malware. The command and control infrastructure relied upon
various servers in multiple countries, including, but not limited to, the United States,
typically leased using false information, such as alias names and fictitious information.

i. FIN7 typically would install additional malware, including the
Carbanak malware, to connect to additional FIN7 command and control servers to
establish remote control of the victim computer.

j. Once a victim’s computer was compromised, FIN7 would
incorporate the compromised machine or “bot” into a botnet.

k. FIN7 designed and used a custom botnet control panel to manage
and issue commands to the compromised machines.

l. Once a victim company’s computers were incorporated into the
FIN7 botnet and remotely controlled by FIN7’s malware, the group used this remote
control and access to, among other things, install and manage additional malware,
conduct surveillance, map and navigate the compromised computer network, compromise
additional computers, exfiltrate files, and send and receive data. For instance, FIN7 often
conducted surveillance on the victim’s computer network by, among other things,
capturing screen shots and videos of victim computer workstations that provided the
conspirators with additional information about the victim company computer network
and non-public credentials for both generic company accounts and for actual company
employees.

m. FIN7 used its access to the victim’s computer network and
information gleaned from surveillance of the victim’s computer systems to install
additional malware designed to target and extract particular information and property of
value, including payment card data and proprietary and non-public information. For
instance, FIN7 often utilized various “off-the-shelf” software and custom malware, and a
combination thereof, to extract and transfer data to a “loot” folder on one or more servers
controlled by FIN7.

n. FIN7 frequently targeted victim companies with customers who use
payment cards while making legitimate point-of-sale purchases, such as victim
companies in the restaurant, gaming, and hospitality industries. In those cases, FIN7
configured malware to extract, copy, and compile the payment card data, and then to
transmit the data from the victim computer systems to servers controlled by FIN7.

o. For example, between approximately March 24, 2017, and April 18,
2017, FIN7 harvested payment card data from point-of-sale devices at certain Victim-3
restaurant locations, including dozens of locations in the Western District of Washington.

p. FIN7 stole millions of payment card numbers, many of which have
been offered for sale through vending sites, including, but not limited to, Joker’s Stash,
thereby attempting to generate millions of dollars of illicit profits.

q. The payment card data were offered for sale to allow purchasers to
falsely represent themselves as authorized users of the stolen payment cards and to use
the stolen payment card information to purchase goods and services in fraudulent
transactions throughout the United States and the world, resulting in millions of dollars in
losses to, and thereby affecting, merchants and banks, including financial institutions, as
defined in Title 18, United States Code, Section 20. For example, on or about March 10,
2017, stolen payment card data related to accounts held at Victim-5, a financial
institution headquartered in the Western District of Washington, compromised through
the computer network intrusion of a victim company, was used to make unauthorized
purchases at a merchant in Puyallup, Washington.

r. FIN7 members employed various techniques to conceal their
identities, including simultaneously utilizing various leased servers that had been leased
using false subscriber information, in multiple countries.

s. FIN7 operated as a structured enterprise with a hierarchical 
command structure under which dozens of members with diverse skillsets could 
coordinate their malicious activity. Key members of the scheme included, but were not 
limited to: 

i. Fedir Hladyr, a systems administrator who, among other 
things, maintained servers and communication channels used by the organization. Fedir 
Hladyr played a leading managerial role by delegating tasks and by providing instruction 
to other members of the scheme. 

ii. Dmytro Fedorov, a high-level “pen-tester” who supervised 
other hackers specifically tasked with breaching the security of victims’ computer 
systems without the victims’ knowledge or consent. 

iii. ANDRII KOLPAKOV, a high-level “pen-tester” who
supervised other hackers responsible for breaching the security of victims’ computer 
systems without the victims’ knowledge or consent. 

t. FIN7 members typically communicated with one another and others 
through private communication channels to further their malicious activity. Among other 
channels, FIN7 conspirators communicated using Jabber, an instant messaging service 
that allows members to communicate across multiple platforms and that supports end-to- 
end encryption. 

u. For example, in Jabber communications with other FIN7 members, 
co-conspirator Dmytro Fedorov, using his alias “hotdima,” referenced using malware in 
connection with several specific victim companies, discussed using the administrative 
control panels to receive data from compromised computers, and identified several pen- 
testers working at his direction.

v. FIN7 members often communicated through a private HipChat
server. HipChat is a group chat, instant messaging, and file-sharing program. FIN7 
members used its HipChat server to collaborate on malware and victim business 
intrusions, to interview potential recruits, and to upload and share exfiltrated data, such as 
stolen payment card data. As a system administrator, co-conspirator Fedir Hladyr created 
HipChat user accounts for FIN7 members that allowed them to access the server. 

w. Co-conspirator Fedir Hladyr also created and participated in multiple 
HipChat “rooms” with other FIN7 members and participated in the uploading and 
organization of stolen payment card data and malware. For example, on or about March 
14, 2016, co-conspirator Fedir Hladyr uploaded an archive that contained numerous data
files created by malware designed to steal data from point-of-sale systems that process 
payment cards. The files contained payment card numbers stolen from a victim company 
that had publicly reported a security breach that resulted in the compromise of tens of 
thousands of payment cards. By way of further example, co-conspirator Fedir Hladyr 
also set up and used a HipChat room titled “MyFile”, in which he was the only 
participant, and to which he uploaded malware used by FIN7 and stolen payment card 
information. 

x. FIN7 conspirators used numerous email accounts hosted by a variety 
of providers in the United States and elsewhere, which they often registered using false 
subscriber information. 

y. FIN7 conspirators frequently used the project management software 
JIRA, hosted on private virtual servers in various countries, to coordinate their malicious 
activity and to manage the assorted network intrusions. JIRA is a project management 
and issue-tracking program used by software development teams. FIN7 members 
typically created a “project” on the virtual JIRA server and then associated “issues” with 
the project, each issue akin to an issue directory or folder, for a victim company, which 
they used to collaborate and share details of the intrusion, to post victim company 
intelligence, such as network mapping information, and to store and share exfiltrated
data. 

z. For example, on about September 7, 2016, co-conspirator Fedir
Hladyr created an “issue” for Victim-6, to which FIN7 conspirators including ANDRII 
KOLPAKOV posted files containing internal credentials for the victim company’s 
computer network. 

aa. By way of further example, on multiple occasions in January 2017, 
co-conspirator Dmytro Fedorov and another FIN7 member posted to the FIN7 “issue” 
created for Victim-7, information about the victim company’s internal network and 
uploaded exfiltrated data, including stolen employee credentials. Similarly, on or about 
April 5, 2017, Dmytro Fedorov created an “issue” for another victim company, Victim-9,
and uploaded stolen user credentials from the victim company. 

bb. FIN7 conspirators knew that the scheme would involve the use of 
wires in both interstate and foreign commerce to accomplish the objectives of the 
scheme. For example, each defendant and his FIN7 co-conspirators knew that execution 
of the scheme necessarily caused the transmission of wire communications between the 
United States and one or more servers controlled by FIN7 located in foreign countries. 

All in violation of Title 18, United States Code, Section 1349. 

COUNTS 2-15
(Wire Fraud) 

16. The allegations set forth in Paragraphs 1 through 15 of this Indictment are 
re-alleged and incorporated as if fully set forth herein. 

I. SCHEME AND ARTIFICE TO DEFRAUD 

17. Beginning at a time unknown, but no later than September 2015, and 
continuing through on or after June 20, 2018, at Seattle, within the Western District of
Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka “Andrey
Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,”
“santisimoz,” and “AndreyKS,” and others known and unknown to the Grand Jury,
devised and intended to devise a scheme and artifice to defraud and to obtain money and 
property by means of materially false and fraudulent pretenses, representations and 
promises. 

18. The essence of the scheme and artifice to defraud was to obtain 
unauthorized access into, and control of, the computer networks of victims through deceit 
and materially false and fraudulent pretenses and representations, through the installation 
and use of malware designed to facilitate, among other things, the installation of 
additional malware, the sending and receiving of data, and the surveillance of the 
victims’ computer networks. The object of the scheme and artifice to defraud was to 
steal money and property of value, including payment card data and proprietary and
non-public information, which was, and could have been, sold and used for financial gain.

II. MANNER AND MEANS OF SCHEME TO DEFRAUD

19. The manner and means of the scheme and artifice to defraud are set forth in 
Paragraph 15 of Count 1 of this Indictment. 

III. EXECUTION OF SCHEME TO DEFRAUD

20. On or about the dates set forth below, within the Western District of 
Washington, and elsewhere, the defendant, and others known and unknown to the Grand 
Jury, having devised a scheme and artifice to defraud, and to obtain money and property 
by means of materially false and fraudulent pretenses, representations, and promises, did 
knowingly transmit and cause to be transmitted writings, signs, signals, pictures, and
sounds, for the purpose of executing such scheme, by means of wire communication in
interstate and foreign commerce, including the following transmissions:


Count | Date | Victim and Location | Wire Transmission
2 | August 8, 2016 | Victim-1, Pierce County | Email from just_etravel@yahoo.com, which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington
3 | August 8, 2016 | Victim-1, Pierce County | Email from frankjohnson@revital-travel.com, which traveled through a server located outside the State of Washington, to a Victim-1 employee, located within the State of Washington
4 | August 8, 2016 | Victim-1, Pierce County | Electronic communication between a server located outside the State of Washington, and Victim-1’s computer system, located within the State of Washington
5 | February 21, 2017 | Victim-2, Seattle | Email purporting to be from a government account, which traveled through a server located outside the State of Washington, to a Victim-2 employee, located within the State of Washington
6 | February 23, 2017 | Victim-2, Seattle | Electronic communication between a server located outside the State of Washington, and Victim-2’s computer system, located within the State of Washington
7 | March 24, 2017 | Victim-3, 4120 196th St SW, Suite 150, Lynnwood | Electronic communication between a server, located outside the State of Washington, and Victim-3’s computer system, located within the State of Washington
8 | March 25, 2017 | Victim-3, 1415 Broadway, Seattle | Electronic communication between a server, located outside the State of Washington, and Victim-3’s computer system, located within the State of Washington
9 | March 25, 2017 | Victim-3, 800 156th Ave NE, Bellevue | Electronic communication between a server, located outside the State of Washington, and Victim-3’s computer system, located within the State of Washington
10 | March 25, 2017 | Victim-3, 4 Bellis Fair Pkwy, Bellingham | Electronic communication between a server, located outside the State of Washington, and Victim-3’s computer system, located within the State of Washington
11 | March 25, 2017 | Victim-3, 775 NW Gilman Blvd, Suite A, Issaquah | Electronic communication between a server, located outside the State of Washington, and Victim-3’s computer system, located within the State of Washington
12 | March 27, 2017 | Victim-3, 515 SE Everett Mall Way, Suite B, Everett | Electronic communication between a server, located outside the State of Washington, and Victim-3’s computer system, located within the State of Washington
13 | April 11, 2017 | Victim-3, 22704 SE 4th St, Suite 210, Sammamish | Electronic communication between a server, located outside the State of Washington, and Victim-3’s computer system, located within the State of Washington
14 | April 11, 2017 | Victim-4, Renton | Email from oliver_palmer@yahoo.com, which traveled through a server located outside the State of Washington, to a Victim-4 employee, located within the State of Washington
15 | March 10, 2017 | Victim-5, Puyallup | Electronic communication between a merchant, located within the State of Washington, and a payment processor server, located outside the State of Washington

All in violation of Title 18, United States Code, Section 1343. 

COUNT 16 

(Conspiracy to Commit Computer Hacking) 

21. The allegations set forth in Paragraphs 1 through 20 of this Indictment are 
re-alleged and incorporated as if fully set forth herein. 

I. OFFENSE

22. Beginning at a time unknown, but no later than September 2015, and
continuing through on or after June 20, 2018, at Seattle, within the Western District of
Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka “Andrey
Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,”
“santisimoz,” and “AndreyKS,” and others known and unknown to the Grand Jury, did
knowingly and willfully combine, conspire, confederate and agree together to commit
offenses against the United States, to wit:

a. to knowingly and with intent to defraud, access a protected computer 
without authorization and exceed authorized access to a protected computer, and by 
means of such conduct further the intended fraud and obtain anything of value exceeding 
$5,000.00 in any 1-year period, in violation of Title 18, United States Code, Sections 
1030(a)(4) and (c)(3)(A); and 

b. to knowingly cause the transmission of a program, information,
code, and command, and as a result of such conduct, intentionally cause damage without
authorization to a protected computer, and cause loss to one or more persons during a
1-year period aggregating at least $5,000.00 in value and damage affecting 10 or more
protected computers during a 1-year period, in violation of Title 18, United States Code,
Sections 1030(a)(5)(A) and (c)(4)(B)(i).

II. OBJECTIVES OF THE CONSPIRACY 

23. The objectives of the conspiracy included hacking into protected computer
networks using malware designed to provide the conspirators with unauthorized access
to, and control of, victim computer systems. The objectives of the conspiracy further
included conducting surveillance of victim computer networks and installing additional
malware on the victim computer networks for the purposes of establishing persistence,
and stealing payment card track data, financial information, and proprietary, private, and
non-public information, with the intention of using and selling such stolen items, either
directly or indirectly, for financial gain. The objectives of the conspiracy further
included installing malware that would integrate victim computers into a botnet that
allowed the conspiracy to control, alter, and damage compromised computers.

III. MANNER AND MEANS OF THE CONSPIRACY

24. The manner and means used to accomplish the conspiracy are set forth in
Paragraph 15 of Count 1 of this Indictment.

IV. OVERT ACTS

25. In furtherance of the conspiracy, and to achieve the objects thereof, the
defendant, and others known and unknown to the Grand Jury, did commit and cause to be
committed, the following overt acts, among others, in the Western District of Washington
and elsewhere:

a. As part of its command and control infrastructure, FIN7 used a
number of physical servers in different countries to host virtual communication servers.
In addition to other channels of communication, FIN7 members used virtual HipChat,
JIRA, Mumble, and Jabber servers to collaborate and coordinate their attacks.

b. For example, FIN7 maintained a virtual Jabber server through which
members could communicate privately. Among other Jabber communications made in
furtherance of the conspiracy:

i. On or about April 14, 2016, a FIN7 member informed
ANDRII KOLPAKOV that a particular individual and Fedir Hladyr were the “main”
directors of the group.

ii. On or about April 15, 2016, a FIN7 member informed
ANDRII KOLPAKOV that a particular individual was the “chief manager.”

iii. On or about January 12, 2017, a FIN7 member introduced
himself to a new FIN7 recruit, explained how the member’s salary would be paid, and
indicated that ANDRII KOLPAKOV would be his supervisor.

iv. On or about May 29, 2017, ANDRII KOLPAKOV informed
Dmytro Fedorov that KOLPAKOV had successfully located point-of-sale data and
accounting technology on a victim company’s network.

v. On or about September 18, 2017, ANDRII KOLPAKOV and
Dmytro Fedorov discussed the file types used in phishing emails, and KOLPAKOV
informed Fedorov of the development of an enhanced malware file that can activate
without being double-clicked upon by the phishing email recipient.

Victim-1 


c. The conspiracy compromised, illegally accessed, had unauthorized 
communications with, and exfiltrated proprietary, private, and non-public victim data and 
information from the computer systems of Victim-1, a hotel and casino in the Western 
District of Washington. For instance, 

i. On or about August 8, 2016, the conspiracy, directly and
through intermediaries, used the account just_etravel@yahoo.com to send a phishing
email, with the subject “order,” to an employee of Victim-1 located in Tacoma,
Washington, with an attached Microsoft Word document that contained malware. The
email contained materially false representations designed to induce the targeted employee
to open enable the malware, and compromise the computer system.

ii. On or about August 8, 2016, the conspiracy, directly and
through intermediaries, used the account frankjohnson@revital-travel.com to send a
phishing email, with the subject “order,” to an employee of Victim-1 located in Tacoma,
Washington, with an attached Microsoft Word document that contained malware. The
email contained materially false representations designed to induce the targeted employee
to enable the malware, and compromise the computer system.

iii. Under the control of the conspiracy’s malware, a
compromised computer of Victim-1 communicated with a command and control server
located in a foreign country. For instance, from August 8, 2016, to August 9, 2016, and
from August 24, 2016 to August 31, 2016, a compromised Victim-1 computer logged
approximately 3,639 communications with various URLs all starting with
“revital-travel.com” at an IP address hosted in Russia.

Indictment / United States v. Kolpakov - 19 UNITED STATES ATTORNEY 

700 Stewart Street, Suite 5220 
Seattle, Washington 98101 
(206)553-7970 




Victim-6 

d. The conspiracy compromised, illegally accessed, had unauthorized 
communications with, and exfiltrated proprietary, private, and non-public victim data and 
information from the computer systems of Victim-6, a restaurant chain with locations in 
multiple states. For instance, 

i. On or about August 25, 2016, the conspiracy, directly and
through intermediaries, used the account revital.travel@yahoo.com to send a phishing
email to an employee of Victim-6, with an attached Microsoft Word document that
contained malware. The email contained materially false representations designed to
induce the targeted employee to enable the malware, and compromise the computer
system.

ii. On or about September 7, 2016, co-conspirator Fedir Hladyr
created an “issue” on the conspiracy’s private JIRA server specifically related to
Victim-6, to which ANDRII KOLPAKOV subsequently uploaded comments and stolen
information pertaining to Victim-6’s network structure and administrative credentials.

Victim-7 

e. The conspiracy compromised, illegally accessed, had unauthorized 
communications with, and exfiltrated proprietary, private, and non-public victim data and 
information from the computer systems of Victim-7, an automotive retail and repair chain 
with hundreds of locations in multiple states, including Washington. For instance, 

i. On or about January 18, 2017, a FIN7 member created an
“issue” on the conspiracy’s private JIRA server specifically related to Victim-7, to which
that individual and Dmytro Fedorov subsequently posted results from several network
mapping tools used on Victim-7’s internal network.

ii. On or about January 20, 2017, a FIN7 member posted
exfiltrated data, including multiple usernames and passwords with the title “Server
Passwords,” to the Victim-7 JIRA “issue.”

iii. On or about January 23, and January 24, 2017, Dmytro
Fedorov posted information about Victim-7’s internal network and uploaded a file
containing multiple IP addresses and information about Victim-7’s servers to the
Victim-7 JIRA “issue.”

iv. On or about January 27, 2017, Dmytro Fedorov uploaded to
the Victim-7 JIRA “issue” a file containing over 1,000 usernames and passwords for
generic company accounts and employee accounts. The potentially compromised
accounts related to approximately 700 Victim-7 locations throughout the United States,
including approximately 12 locations located in the state of Washington.

Victim-2

f. The conspiracy compromised, illegally accessed, had unauthorized
communications with, and exfiltrated proprietary, private, and non-public victim data and
information from the computer systems of Victim-2, a corporation headquartered in
Seattle, Washington. For instance,

i. On or about February 21, 2017, the conspiracy, directly and
through intermediaries, used an account purporting to be filings@sec.gov (but that
actually was sent by secureserver.net) to send a phishing email to an employee of
Victim-2 located in Seattle, Washington, with an attached Microsoft Word document that
contained malware. The email falsely purported to relate to a corporate filing with the
SEC and contained materially false representations designed to induce the targeted
employee to open the file, enable the malware, and compromise the computer system.

ii. From on or about February 21, 2017, to approximately
March 3, 2017, the conspiracy illegally accessed and had communications with the
computer systems of Victim-2 located in Seattle, Washington. For instance, between
about February 23, 2017, and February 24, 2017, the victim computer made outgoing
connections to and transferred internal data, without authorization, to an IP address
located in a foreign country.

iii. On or about February 24, 2017, a FIN7 member posted to a
JIRA “issue” created for Victim-2, a screenshot from the targeted employee’s computer
at Victim-2, which showed, among other things, an internal Victim-2 webpage available
only to employees with a valid user account.

iv. Similarly, a FIN7 member posted to the Victim-2 JIRA
“issue” a text file containing the usernames and passwords of the targeted Victim-2
employee, including his/her personal email account, LinkedIn account, and personal
investment and financial institution accounts.

Victim-3 

g. The conspiracy compromised, illegally accessed, had unauthorized 
communications with, and exfiltrated proprietary, private, and non-public victim data and 
information from the computer systems of Victim-3, a restaurant chain with thousands of 
locations, including the State of Washington. From approximately March 24, 2017 to
April 18, 2017, the conspiracy accessed computer systems of Victim-3 and implanted
malware designed to harvest payment card data from cards used on point-of-sale devices 
at restaurant locations nationwide, including approximately 33 locations within the 
Western District of Washington. 

Victim-8 

h. The conspiracy compromised, illegally accessed, had unauthorized 
communications with, and exfiltrated proprietary, private, and non-public victim data and 
information from the computer systems of Victim-8, a restaurant chain with hundreds of 
locations in multiple states, including Washington. For instance, 

i. On or about March 27, 2017, the conspiracy, directly and 
through intermediaries, used the account ray.donovan84@yahoo.com, to send a phishing 
email to a Victim-8 employee, with an attached Microsoft Word document that contained 
malware. The email falsely purported to convey a customer complaint and contained 
additional materially false representations designed to induce the targeted employee to 
enable the malware, and compromise the computer system. 

ii. On or about March 29, 2017, a FIN7 member created an
“issue” on the conspiracy’s private JIRA server specifically related to Victim-8 and
posted results from several network mapping tools used on Victim-8’s internal network.

iii. On or about March 31, 2017, a FIN7 member posted a link to
the point-of-sale software management solution used by Victim-8, and a username and
password to the Victim-8 JIRA “issue.” The software management tool allows a
company to manage point-of-sale systems at multiple locations. The FIN7 member also
uploaded several screenshots presumably from one or more victim computers at
Victim-8, which showed, among other things, the user logged into Victim-8’s account for the
software management tool.

iv. On or about April 6, 2017, a FIN7 member uploaded to the
Victim-8 JIRA “issue” a file containing hundreds of usernames and passwords for
approximately 798 Victim-8 locations, including 37 locations located in the State of
Washington. The file included network information, telephone communications, and
locations of alarm panels within restaurants.

v. On or about April 7, 2017, a FIN7 member uploaded to the
Victim-8 JIRA “issue” a similar file containing numerous usernames and passwords for
Victim-8 locations.

vi. On or about May 5, 2017, a FIN7 member uploaded to the
Victim-8 JIRA “issue” a file containing file directories on a compromised computer.

vii. On or about May 8, 2017, a FIN7 member uploaded to the
Victim-8 JIRA “issue” exfiltrated files related to a password management system from a
compromised computer, which contained the credentials, usernames, and passwords of a
particular employee.

viii. On or about May 15, 2017, a FIN7 member uploaded to the
Victim-8 JIRA “issue” screenshots of a compromised computer that showed the
employee accessing Victim-8’s security infrastructure management software using that
same employee’s credentials.

Victim-9

i. The conspiracy compromised, illegally accessed, had unauthorized 
communications with, and exfiltrated proprietary, private, and non-public victim data and 
information from the computer systems of one or more locations of Victim-9, a fast-food 
restaurant chain with thousands of locations throughout the United States, including 
Washington. For instance, 

i. The conspiracy, directly and through intermediaries, sent 
phishing emails with an attached file that contained malware to multiple Victim-9 
locations. For instance, on or about April 7, 2017, the conspiracy used the account 
oliver_palmer@yahoo.com to send a phishing email to a Victim-9 location in the State of 
Oregon. The email contained materially false representations designed to induce the 
targeted employee to open the file, enable the malware, and compromise the computer 
system. 

ii. On or about April 5, 2017, Dmytro Fedorov created an
“issue” on the conspiracy’s private JIRA server specifically related to Victim-9 to which 
one or more FIN7 members subsequently posted usernames and passwords for Victim-9 
locations, including a Victim-9 location in Vancouver, Washington. 

Victim-4 

j. The conspiracy compromised, illegally accessed, had unauthorized 
communications with, and exfiltrated proprietary, private, and non-public victim data and 
information from the computer systems of one or more locations of Victim-4, a pizza 
parlor chain with hundreds of locations, including in Washington. For instance, 

i. On or about April 11, 2017, the conspiracy, directly and
through intermediaries, used the account oliver_palmer@yahoo.com, to send a phishing
email, with the subject “claim,” to an employee of a Victim-4 located in Renton,
Washington, with an attached Rich Text Format (.rtf) document that contained malware.
The email falsely purported to convey a customer complaint and contained additional
materially false representations designed to induce the targeted employee to enable the
malware, and compromise the computer system.

ii. On or about April 11, 2017, the conspiracy, directly and
through intermediaries, used the account oliver_palmer@yahoo.com, to send a phishing
email, with the subject “claim,” to an employee of a Victim-4 located in Vancouver,
Washington, with an attached Rich Text Format (.rtf) document that contained malware.
The email falsely purported to convey a customer complaint and contained additional
materially false representations designed to induce the targeted employee to enable the
malware, and compromise the computer system.

iii. On or about May 25, 2017, the conspiracy, directly and
through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a
phishing email, with the subject “takeout order,” to an employee of a Victim-4 located in
or around Spokane, Washington, with an attached Rich Text Format (.rtf) document that
contained malware. The email falsely stated that the sender had a large takeout order and
contained additional materially false representations designed to induce the targeted
employee to enable the malware, and compromise the computer system.

Victim-10

k. The conspiracy compromised, illegally accessed, had unauthorized
communications with, and exfiltrated proprietary, private, and non-public victim data and
information from the computer systems of one or more locations of Victim-10, a
fast-food restaurant chain with hundreds of locations in various states, including Washington.
For instance,

i. On or about May 24, 2017, a FIN7 member created an “issue”
on the conspiracy’s private JIRA server specifically related to Victim-10, to which other
FIN7 members subsequently posted information relating to the intrusion of computer
systems and exfiltrated data, including files containing passwords and screenshots from
one or more compromised computers.

ii. On or about June 12, 2017, the conspiracy, directly and
through intermediaries, used the account Adrian.1987clark@yahoo.com, to send a
phishing email, with the subject “order.catering,” to an employee of a Victim-10 located
in Iowa, with an attached Rich Text Format (.rtf) document that contained malware. The
email falsely stated that the sender had a catering order for the following day and
contained additional materially false representations designed to induce the employee to
enable the malware, and compromise the computer system.

iii. From on or about June 12, 2017, to a date unknown, the
conspiracy illegally accessed and had communications with the computer systems of the
Victim-10 located in Iowa. For instance, the conspiracy transferred, without
authorization, proprietary, private, and non-public victim data and information, including
usernames and passwords, to a JIRA server managed by FIN7, located in a foreign
country. On or about June 14, 2017, a FIN7 member uploaded a variety of information
including recommendations for attack vectors FIN7 members could use to access
Victim-10’s internal network.

All in violation of Title 18, United States Code, Section 371.

COUNTS 17 - 19

(Accessing a Protected Computer in Furtherance of Fraud)

26. The allegations set forth in Paragraphs 1 through 25 of this Indictment are
re-alleged and incorporated as if fully set forth herein.

27. On or about the dates listed below, within the Western District of
Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka “Andrey
Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,”
“santisimoz,” and “AndreyKS,” and others known and unknown to the Grand Jury,
knowingly and with intent to defraud accessed a protected computer without
authorization and in excess of authorized access, and by means of such conduct furthered
the intended fraud and obtained something of value, specifically, payment card data and
proprietary and non-public information, whereby the object of the fraud and the thing
obtained consisted of more than the use of the computers and the value of such use was
more than $5,000 in a 1-year period, as listed below:



17 | August 8, 2016 through October 4, 2016 | Victim-1

18 | February 21, 2017 through March 3, 2017 | Victim-2

19 | March 24, 2017 through April 18, 2017 | Victim-3



All in violation of Title 18, United States Code, Sections 1030(a)(4), 1030(b), 
1030(c)(3)(A) and 2. 

COUNTS 20 - 22 

(Intentional Damage to a Protected Computer) 

28. The allegations set forth in Paragraphs 1 through 27 of this Indictment are 
re-alleged and incorporated as if fully set forth herein. 

29. On or about the dates listed below, within the Western District of 
Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka “Andrey
Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,” 
“santisimoz,” and “AndreyKS,” and others known and unknown to the Grand Jury, 
knowingly caused the transmission of a program, information, code, and command, and 
as a result of such conduct, intentionally caused damage without authorization, to a 
protected computer, specifically, the protected computer system of the victim listed 
below, and the offense caused (i) loss to one or more persons during a 1-year period 
aggregating at least $5,000.00 in value and (ii) damage affecting 10 or more protected 
computers during a 1-year period: 


20 | August 8, 2016 through October 4, 2016 | Victim-1

21 | February 21, 2017 through March 3, 2017 | Victim-2

22 | March 24, 2017 through April 18, 2017 | Victim-3


All in violation of Title 18, United States Code, Sections 1030(a)(5)(A), 1030(b), 
1030(c)(4)(B), and 2. 

COUNT 23
(Access Device Fraud) 

30. The allegations set forth in Paragraphs 1 through 29 of this Indictment are 
re-alleged and incorporated as if fully set forth herein. 

31. Beginning at a time unknown, and continuing through on or after June 20,
2018, within the Western District of Washington, and elsewhere, the defendant, ANDRII
KOLPAKOV, aka “Andrey Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,”
“Andrew Kolpakov,” “santisimo,” “santisimoz,” and “AndreyKS,” and others known and
unknown to the Grand Jury, knowingly and with intent to defraud, possessed fifteen or
more counterfeit and unauthorized access devices, namely, payment card data, account
numbers, and other means of account access that can be used, alone and in conjunction
with another access device, to obtain money, goods, services, and any other thing of
value, and that can be used to initiate a transfer of funds; said activity affecting interstate
and foreign commerce.

All in violation of Title 18, United States Code, Sections 1029(a)(3), 1029(b)(1), 
1029(c)(1)(A), and 2. 

COUNT 24 

(Aggravated Identity Theft) 

32. The allegations set forth in Paragraphs 1 through 31 of this Indictment are 
re-alleged and incorporated as if fully set forth herein. 

33. Beginning at a time unknown, but no earlier than on or about February 21,
2017, and no later than March 3, 2017, and continuing through on or after November 21,
2017, at Seattle, within the Western District of Washington, and elsewhere, the
defendant, ANDRII KOLPAKOV, aka “Andrey Kolpakov,” “Andriy Kolpakov,” “Andre
Kolpakov,” “Andrew Kolpakov,” “santisimo,” “santisimoz,” and “AndreyKS,” and
others known and unknown to the Grand Jury, did knowingly transfer, possess, and use,
without lawful authority, a means of identification of another person, to wit: the name,
username, and password of a real person, J.Q., an employee of Victim-2, during and in
relation to a felony violation enumerated in 18 U.S.C. § 1028A(c), that is, conspiracy to
commit wire and bank fraud, in violation of 18 U.S.C. § 1349, as charged in Count 1, and
wire fraud, in violation of 18 U.S.C. § 1343, as charged in Counts 5 and 6, knowing that
the means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2. 

COUNT 25 

(Aggravated Identity Theft) 

34. The allegations set forth in Paragraphs 1 through 33 of this Indictment are 
re-alleged and incorporated as if fully set forth herein. 

35. Beginning at a time unknown, but no later than on or about May 8, 2017,
and continuing through on or after November 21, 2017, within the Western District of
Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka “Andrey
Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,” 
“santisimoz,” and “AndreyKS,” and others known and unknown to the Grand Jury, did 
knowingly transfer, possess, and use, without lawful authority, a means of identification 
of another person, to wit: the name, employee credentials, username, and password of a 
real person, N.M., an employee of Victim-8, during and in relation to a felony violation 
enumerated in 18 U.S.C. § 1028A(c), that is, conspiracy to commit wire and bank fraud, 
in violation of 18 U.S.C. § 1349, as charged in Count 1, knowing that the means of 
identification belonged to another actual person. 

All in violation of Title 18, United States Code, Sections 1028A(a) and 2. 

COUNT 26 

(Aggravated Identity Theft) 

36. The allegations set forth in Paragraphs 1 through 35 of this Indictment are
re-alleged and incorporated as if fully set forth herein.

37. Beginning at a time unknown, but no later than on or about January 27,
2017, and continuing through on or after November 21, 2017, within the Western District
of Washington, and elsewhere, the defendant, ANDRII KOLPAKOV, aka “Andrey
Kolpakov,” “Andriy Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,”
“santisimoz,” and “AndreyKS,” and others known and unknown to the Grand Jury, did
knowingly transfer, possess, and use, without lawful authority, a means of identification
of another person, to wit: the name, username, and password of real persons, B.C., C.H.,
E.L., J.M., A.P., R.O., T.T., and L.D., employees of Victim-7, during and in relation to a
felony violation enumerated in 18 U.S.C. § 1028A(c), that is, conspiracy to commit wire
and bank fraud, in violation of 18 U.S.C. § 1349, as charged in Count 1, knowing that the
means of identification belonged to another actual person.

All in violation of Title 18, United States Code, Sections 1028A(a) and 2. 

FORFEITURE ALLEGATION 

38. The allegations contained in Counts 1 through 15 of this Indictment are 
hereby realleged and incorporated by reference for the purpose of alleging forfeitures 
pursuant to Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States 
Code, Section 2461(c). Upon conviction of any of the offenses charged in Counts 1 
through 15, the defendant, ANDRII KOLPAKOV, aka “Andrey Kolpakov,” “Andriy 
Kolpakov,” “Andre Kolpakov,” “Andrew Kolpakov,” “santisimo,” “santisimoz,” and 
“AndreyKS,” shall forfeit to the United States any property, real or personal, which 
constitutes or is derived from proceeds traceable to such offenses, including but not 
limited to a judgment for a sum of money representing the property described in this 
paragraph. 

39. The allegations contained in Counts 16 through 22 of this Indictment are 
hereby realleged and incorporated by reference for the purpose of alleging forfeitures 
pursuant to Title 18, United States Code, Sections 982(a)(2)(B) and 1030(i). Upon 
conviction of any of the offenses charged in Counts 16 through 22, the defendant shall 
forfeit to the United States any property constituting, or derived from, proceeds the
defendant obtained, directly or indirectly, as the result of such offenses, and shall also 
forfeit the defendant’s interest in any personal property that was used or intended to be 
used to commit or to facilitate the commission of such offenses, including but not limited 
to a judgment for a sum of money representing the property described in this paragraph. 

40. The allegations contained in Count 23 of this Indictment are hereby 
realleged and incorporated by reference for the purpose of alleging forfeitures pursuant to 
Title 18, United States Code, Sections 981(a)(1)(C) and 1029(c)(1)(C), and Title 28, 
United States Code, Section 2461(c). Upon conviction of the offense charged in Count 
23, the defendant shall forfeit to the United States any property, real or personal, which 
constitutes or is derived from proceeds traceable to such offense, and shall also forfeit 
any personal property used or intended to be used to commit such offense, including but 
not limited to a judgment for a sum of money representing the property described in this 
paragraph. 

(Substitute Assets)

41. If any of the property described above, as a result of any act or omission of 
the defendant: 

a. cannot be located upon the exercise of due diligence; 

b. has been transferred or sold to, or deposited with, a third party; 

c. has been placed beyond the jurisdiction of the court; 

d. has been substantially diminished in value; or 

e. has been commingled with other property which cannot be divided 
without difficulty, 

the United States of America shall be entitled to forfeiture of substitute property pursuant
to Title 21, United States Code, Section 853(p), as incorporated by Title 28, United States 
Code, Section 2461(c). 

A TRUE BILL:

DATED:

(Signature of Foreperson redacted pursuant to
policy of the Judicial Conference)

FOREPERSON

Assistant United States Attorney

ANTHONY TEELUCKSINGH

Trial Attorney

Computer Crime and Intellectual Property Section